External attackers aren’t the only threats modern organizations need to consider in their cybersecurity planning. Malicious, negligent, or compromised users are a serious and growing risk as well. Insider threat incidents have risen 44% over the past two years, with costs per incident up more than 33% to $15.38 million according to Ponemon Institute’s 2022 report.
Insider threat defined
The term “insider threat” encompasses a breach tactic and names a type of malicious actor. Advanced persistent threats (APTs), a disgruntled employee, the contractor who uses his or her corporate email address to sign up for fast food rewards—these groups and individuals are all described by the DOJ as witting or unwitting actors.
Advanced Persistent Threats
The most-headlined insider threats, APTs, commonly carry access to state-sponsored resources (lucrative assets, tested experience, access to digital-age weapons) and are in part tied to a broader intelligence collection or destructive campaign. Their collection efforts are contingent on secrecy. If a threat actor cannot stay hidden while conserving his or her placement and access, the mission fails.
Phishing, spear phishing, and whaling, tactics used by APTs and run-of-the-mill threat actors, are prolific because targeted users possess the placement and access the threat actor needs.
It costs an attacker minimal time and resources to send a malicious email and apply a level of anonymity hiding his or her real intent. Online black markets offer pre-built attack tools like phishing-as-a-service for sale, enabling non-sophisticated actors to launch successful and sophisticated attacks.
Establishing threat-aware best practices
Further, most information needed to fuel phishing is readily available to the public through data breaches, social networking sites, and organization pages containing contact details. Organizations must establish the right policies for employees, ensuring official best practices reduce the risk of a successful phishing attack.
For example, a policy limiting where or how an employee can share his or her organizational email address prevents an online retailer breach revealing your organization’s email naming convention. Non-disclosure agreements signed during onboarding and yearly training events reinforce policy. Programs like red team phishing also provide fantastic checks and balances, ensuring an organization is not complacent.
Day after day, massive data breaches, leaks, and misconfigurations on network devices allow an attacker the opportunity to weaponize compromised data once it becomes available. The right policies, recognition training, and employee attitudes deter threat-actor access through social engineering.
Placement and access
On an organizational level, your IT team, the people who operate, manage, and defend the network, often have the most vital thing an internal or external insider threat needs: placement and access to sensitive information, technology, and intellectual property.
Human + technology combat
Encourage and train employees to be vigilant in the role they fulfill. When you consider the motive of an insider threat, ask if he or she was aware or unaware of the implications. An attacker with unauthorized placement and access to confidential financial information would indeed be an aware network-based insider threat. However, an accountant who accidentally opened a phishing email didn’t set out to harm the organization.
Deploying insider threat detections and data loss preventions to detect data exfiltration, privilege abuses, application misuses, unauthorized access, risky but “accidental” or “anomalous” behavior are also quite effective strategies.
We’re all defenders
In the cyberworld of insider threats, each employee is a defender. Both the organization and the individual employee is responsible for protecting against insider threats. Your organization can (and should!) enable technological accountability and tight monitoring, but only human defenders can directly counter human threat actors. Encourage your employees’ ability to think past an attacker’s tactics and train them to notice red flags. People aware and comfortable with a process create an active, aware technology environment.